It is good practice to enable a System Assigned Identity on Azure resources and use it to grant them access to other resources.
For example, when an Azure App Service needs access to an Azure SQL Database, we use Managed Identity so that the App Service itself is granted access to the database.
We can then grant that access either by adding the App Service directly to the Azure SQL Database or, in my opinion the better way, by granting permissions in the database to Azure AD groups and adding the App Service to the relevant group.
So, the App Service has System Assigned Identity enabled, that identity is added to an Azure AD group, and the group in turn is granted access in the SQL Database.
Checking service principal group membership
Anyway, how can you see which Azure AD groups your Azure App Service (that is, its service principal) is a member of?
One simple way is to open your resource in the Azure Portal.
Go to the Identity page and copy the Object ID.
Then open the Cloud Shell in PowerShell mode.
Connect to Azure AD by running "Connect-AzureAD".
Then run the command "Get-AzureADServicePrincipalMembership -ObjectId {yourObjectID}".
In the output you will see all the groups that the service principal is a member of.
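The same check scripted end to end, as an added example that is not part of the original post: it resolves the system-assigned identity's Object ID from the App Service itself instead of copying it from the Portal, lists the group memberships, and then compares them against a list of groups the identity is expected to be in, so that any surplus membership stands out. It assumes Azure Cloud Shell in PowerShell mode with the Az and AzureAD modules available and a signed-in user allowed to read directory objects; the resource group, App Service name and expected group name are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes Azure Cloud Shell in PowerShell
# mode with the Az and AzureAD modules, and a signed-in user who may read directory objects.
# The three values below are constructed placeholders; replace them with your own.
param(
    [string]$ResourceGroupName = 'rg-example',        # constructed placeholder
    [string]$AppServiceName    = 'app-example',       # constructed placeholder
    [string[]]$ExpectedGroups  = @('sql-db-readers')  # constructed placeholder: groups this identity should be in
)

# Step 1: resolve the system-assigned identity's Object ID without going through the Portal.
$site = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $AppServiceName
if (-not $site.Identity -or -not $site.Identity.PrincipalId) {
    throw "App Service '$AppServiceName' has no system-assigned identity enabled."
}
$principalId = $site.Identity.PrincipalId

# Step 2: connect to Azure AD and fetch everything the service principal is a member of.
Connect-AzureAD | Out-Null
$memberships = Get-AzureADServicePrincipalMembership -ObjectId $principalId

# Step 3: keep only groups (memberOf can also return directory roles) and show them.
$groups = $memberships | Where-Object { $_.ObjectType -eq 'Group' }
$groups | Select-Object DisplayName, ObjectId | Format-Table -AutoSize

# Step 4: least-privilege check - warn about any group that is not on the expected list.
$unexpected = $groups | Where-Object { $ExpectedGroups -notcontains $_.DisplayName }
if ($unexpected) {
    Write-Warning "Unexpected group memberships for $($AppServiceName):"
    $unexpected | ForEach-Object { Write-Warning "  $($_.DisplayName) ($($_.ObjectId))" }
} else {
    Write-Output "All group memberships for $AppServiceName match the expected list."
}
```

Run it as a script from Cloud Shell, passing your own resource group, App Service name and expected group names. Since this post was written, the AzureAD module has been deprecated in favour of Microsoft Graph PowerShell; the equivalent membership lookup there is Get-MgServicePrincipalMemberOf -ServicePrincipalId with the same Object ID, and the comparison logic above carries over unchanged.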